Cisco Security Hole a Whopper

Kim Zetter
07.27.05

LAS VEGAS -- A bug discovered in an operating system that runs the majority of the world's computer networks would, if exploited, allow an attacker to bring down the nation's critical infrastructure, a computer security researcher said Wednesday, speaking despite the threat of a lawsuit.

Michael Lynn, a former research analyst with Internet Security Systems, quit his job at ISS Tuesday morning before disclosing the flaw at Black Hat Briefings, a conference for computer security professionals held annually here.

The security hole in Cisco IOS, the company's "infrastructure operating system" that controls its routers, was patched by Cisco in April, Lynn said, and the flawed version is no longer available for download. But Cisco didn't want the information disclosed until next year when a new version of the operating system would be out of beta testing and ready for distribution.

Routers are devices that direct information through a network. Cisco products account for the majority of routers that operate the backbone of the internet and many company networks.

Lynn likened IOS to Windows XP, for its ubiquity.

"But when there is a Windows XP bug, it's not really a big deal," Lynn said. "You can still ship (data through a network) because the routers will transmit (it). How do you ship (data) when the routers are dead?"

Lynn decided to speak now, he said, because the source code for Cisco IOS was recently stolen for the second time, and he felt he could no longer remain silent.

"Can anyone think why you would steal (the source code) if not to hack it?" Lynn asked the audience, noting that it took him six months to develop an attack to exploit the bug. "I'm probably about to be sued to oblivion. (But) the worst thing is to keep this stuff secret."

Lynn said that routers with updated firmware would likely be safe for now, but he was concerned that if one flaw existed, others did as well. It was possible to imagine a future scenario in which an attacker could write a worm that swiftly runs through Cisco routers and shuts them down behind it, essentially launching the kind of electronic Pearl Harbor attack that politicians have been warning about for several years.

"There are people out there looking for it, there are people who have probably found it who could be using it against either national infrastructure or any enterprise," said Ali-Reza Anghaie, a senior security engineer with an aerospace firm, who was in the audience.

The flaw that Lynn described would also allow more subtle attacks, because it permits a sophisticated attacker to gain complete control of the router. An attacker could sniff all traffic going over a network and alter it, for example reading e-mail, preventing it from reaching its recipient or even changing words in a message without the correspondents knowing.